Requirements for Efficient Storage GuardPoints on Linux

A LUN must meet the following requirements before it can be protected as an ES GuardPoint:

• The LUN is exported from a storage array must be enhanced with the CTE-Efficient Storage capability.

• The storage array exporting the LUN to the protected host must be a KMIP client registered with the same CipherTrust Manager as the protected host.

• The protected host must have direct physical access to the LUN through Fiber Channel Protocol (FCP) or iSCSI.

• The entire LUN must be protected as one and only one ES GuardPoint.

• In an ESXi environment:

  • The LUN added to a virtual machine must be configured for Raw Device Mapping in physical mode or the LUN must be part of a VVol datastore.

  • The LUN cannot be a VMDK or a disk in a datastore.

• Devices protected by an ES GuardPoint cannot currently be initialized/added as physical volumes for use by LVM. When LVM support is added, it will be announced in the CTE Release Notes.

• Existing devices divided into one or more logical partitions cannot be guarded as ES GuardPoints. Logical partitions in such devices cannot be accessed or separately guarded after guarding the device.

  For example, the logical partition /dev/sda1 or /dev/sda2 inside /dev/sda cannot be accessed after guarding /dev/sda as an ES GuardPoint. Using /dev/secvm/dev/sda1 is invalid as /dev/secvm/dev/sda1 is not a GuardPoint and cannot be guarded, and, as such, would not provide access to clear-text data on /dev/sda1.

  If you want to use VVol datastores with CTE-Efficient Storage devices, see the available documentation from the Storage Array system vendor.